GDPR Inc.: Profiting From Strict New Security Rules

While most chief privacy officers are sweating bullets, some firms couldn't be more delighted by the looming May 25 deadline for the General Data Protection Regulation.

The strict European Union-mandated security regulations have “helped us grow our company significantly,” Hilary Wandall, chief data governance officer at TrustArc, a privately held GDPR-compliance and security firm that is helping more than 800 companies worldwide, tells Barron's.

TrustArc has worked on GDPR compliance since 2016, when its final rules were ratified, and intensified its workload the past year as it helped hundreds of companies worldwide in health care, financial services and retail. It expects the process to start all over again, as Asia, the Middle East, U.S., and other regions adopt similar laws, says Wandall, who has worked on GDPR since 2012, when the legislation was first proposed by the European Commission.

"We have another Y2K happening," Hitesh Sheth, CEO of cybersecurity company Vectra Networks, tells Barron's, alluding to the mad dash to avoid computer bugs as computer systems transitioned to the year 2000. This time, however, the threat is real, he says.

TrustArc and Vectra are among the tech companies, consulting firms, and law practices specializing in getting everyone else up to speed to comply with GDPR, in what market researcher Gartner estimates is a multibillion-dollar enterprise.

They won’t divulge what they’re raking in because they’re private companies, but PricewaterhouseCoopers, which is offering consulting on GDPR, gives us a pretty good idea. It found 88% of 300 companies it surveyed said they spent more than $1 million on GDPR preparations, and 40% said they spent more than $10 million.

“There was a big surge of new clients a year ago, and a second wave the last month as companies who thought GDPR did not apply to them” scrambled to meet GDPR standards, Jay Cline, PwC’s GDPR point person, tells Barron’s. “That is the deep impact of GDPR.”

He calls the race for compliance the “biggest spike” in the more than 20 years PwC has had a privacy practice. And he expects the “ripple effect” of GDPR to soon spread to Canada, the U.S., and Australia.

Angela Saverice-Rohan, who manages the national privacy practice at Ernst & Young, has been “deep in this space for 18 months” consulting Fortune 500 companies, many of whom “had nothing in place,” she tells Barron’s.

It hasn’t always been easy, especially in finding technology partners with GDPR solutions. “We discovered there were some snake oil salesmen” trying to profit from the situation, she says.

Tech companies, as well as any commercial enterprise handling data, are scrambling to comply with the stringent rules—or risk paying stiff fines of 20 million euros or 4% of total revenue, whichever is higher. Citing GDPR, Evercore ISI Research analyst Anthony DiClemente recently trimmed his 2019 revenue estimates for Facebook (FB) by 1.5% and lowered his target price of its shares to $200 from $205.

According to an IBM survey of 1,500 business leaders worldwide that was released last week, some 76% of respondents see it as a chance to create new business opportunities through improved data practices with clients, yet only 36% expect to be fully compliant with GDPR rules.

For example, 31% of respondents said their company had updated its incident-response measures to comply with GDPR’s requirement to report data breaches to relevant authorities within 72 hours.

GDPR is the “biggest disruptive force” to impact data security in business models across industries, Cindy Compert, chief technology officer, data security and privacy, at IBM Security, tells Barron’s. “It is regulation with teeth at a time when consumer awareness and attitudes have changed” on data security and privacy, she says.

For many, the solution has been simple: 70% of organizations say they are disposing of data in advance of GDPR, and 80% are reducing the amount of personal data they plan to keep, according to the IBM survey.

"[Companies] are doing spring cleaning," Compert says.

While GDPR has been a four-letter word for some companies—cross-device identity firm Drawbridge and mobile-marketing platform Verve decided to drop out of the EU—others have been in furious preparation.

Companies such as Facebook that rely heavily on user data collection and analysis have taken steps to minimize the damage. In a tweak to its terms and conditions before the law goes into effect, Facebook is shifting responsibility for all users outside the U.S., Canada, and the EU—some 1.5 billion people—from its international headquarters in Ireland to its main offices in Menlo Park, Calif. Ostensibly, those users will be governed by U.S. law rather than Irish law.

“We're going even further to comply to the new rules” in Europe, Facebook CEO Mark Zuckerberg told members of the European Parliament Tuesday in Brussels, where he discussed privacy. He said Facebook will be "fully compliant" on Friday.

Fordham Law School professor Cameron Russell calls the circumstances leading to GDPR “a perfect storm” of political and business circumstances, starting with Edward Snowden’s disclosure in 2013 of global surveillance programs and intensifying amid a rash of data incidents the past several years, most notably political consultant Cambridge Analytica’s harvesting of information from 87 million Facebook profiles without their permission.

[It should be noted that large companies like Facebook with dominant market positions and vast financial resources are in far better shape to adapt to GDPR and its financial and legal commitments than smaller tech firms, he adds.]

Dan Or-Hof, chief privacy officer of Otonomo, an automotive data-services platform for connected cars in Israel, has been “living with [GDPR] for two years” since its guidelines were finalized, he tells Barron’s. “Everyone in C-level has to get involved to understand the legal and technical consequences.” Among the start-up’s tweaks: Revamping its privacy policy in writing and presentation, and enhancing its 72-hour breach notification system.

Tech start-up Harvesting, which has built a credit-risk system for farmers in emerging markets, is automating its process of identifying sensitive personal and financial information when that data is uploaded, and notifying users. Users can choose to remove some data manually or let Harvesting's system automatically handle it.

It’s an era of “trust tension,” in which the personalized experience that companies strive to deliver is colliding with consumers’ heightened distrust over security and privacy, Rob Glickman, chief marketing officer for customer-data platform Treasure Data, tells Barron’s. The firm is helping more than 300 large companies, two-thirds of them in Japan, get up to speed on GDPR.

Of course, getting to the starting line in good shape doesn’t end with GDPR. There are 28 data-privacy regulatory entities in Europe, and rules similar to GDPR are under consideration from California to Israel, says Paul Lynch, CEO of Assembla, a source-code management platform.

“If it isn’t Europe, it could be Asia, the Middle East, or the U.S.,” he says. “If you don’t comply, the consequences can be devastating.”

Corrections & Amplifications

The European General Data Protection Regulation takes effect Friday. In an earlier version of this article, the law was incorrectly called General Data Privacy Regulation.
